Audacity 1.3 Beta DLL Hijacking

01 Nov 2010 | Reported by Salvatore Fresta | Type: packetstorm | Source: packetstormsecurity.com

Audacity 1.3 Beta DLL Hijacking Vulnerabilities

`Audacity <= 1.3 Beta Multiple Local Vulnerabilities  
  
Name Audacity  
Vendor http://audacity.sourceforge.net  
Versions Affected <= 1.3 Beta  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-10-29  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
________________________  
  
Audacity is free, open source software for recording and  
editing sounds.  
  
  
II. DESCRIPTION  
_______________  
  
The vulnerabilities are caused by the application  
loading libraries in an insecure manner.  
  
I tested versions 1.2.6 (stable) and 1.3 Beta.  
  
Other versions could be vulnerable.  
  
  
III. ANALYSIS  
_____________  
  
Summary:  
  
A) Unsafe DLL Loading  
B) DLL Hijacking  
  
  
A) Unsafe DLL Loading  
_____________________  
  
Audacity tries to load every DLL present in the Plug-Ins  
directory without specifying any name. This can be  
exploited to execute arbitrary code with the privileges  
of the currently logged-in user.  
  
I/O on the filesystem and sockets has been tested correctly.  
  
  
B) DLL Hijacking  
________________  
  
By default, Audacity's installation folder doesn't  
contain DLL files. When it tries to load some DLLs,  
it first looks in the installation directory and  
then in the system32 directory.  
Because of this, it is possible to hijack the load operation in  
order to load a malicious DLL file with the same name.  
The following is the list of affected DLLs:  
  
wintrust.dll  
msasn1.dll  
msacm32.dll  
midimap.dll  
wsock32.dll  
ws2_32.dll  
ws2help.dll  
winmm.dll  
lpk.dll  
usp10.dll  
setupapi.dll  
crypt32.dll  
  
  
IV. SAMPLE CODE  
_______________  
  
A/B) Unsafe DLL Loading / DLL Hijacking  
  
  
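The following is the sample code (evil.c) for  
wintrust.dll:  
  
// compile: gcc -shared -o wintrust.dll evil.c  
  
#include <windows.h>  
  
// DllMain runs as soon as the loader maps the DLL into the process.  
BOOL WINAPI DllMain (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)  
{  
  
    // Harmless visible marker showing that the DLL's code executed.  
    MessageBox(0, "DLL Hijacking!", "Salvatore Fresta", MB_OK);  
  
    return TRUE;  
}  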
  
  
Just copy it to the Plug-Ins directory to exploit the  
first security flaw and into the installation directory  
to exploit the second security flaw.  
  
  
V. FIX  
______  
  
No fix.  
  
`
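
A defender-side check for the two issues described in the advisory, as an added example that is not part of the original advisory: it flags files in the installation directory that carry one of the listed DLL names, and DLLs in Plug-Ins whose SHA-256 is not on an approved list. The approved-hash list, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# DLL names the advisory lists as resolved from the install directory first.
LISTED_DLLS = {
    "wintrust.dll", "msasn1.dll", "msacm32.dll", "midimap.dll",
    "wsock32.dll", "ws2_32.dll", "ws2help.dll", "winmm.dll",
    "lpk.dll", "usp10.dll", "setupapi.dll", "crypt32.dll",
}

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit_install(install_dir, approved_hashes=frozenset(), plugin_subdir="Plug-Ins"):
    """Return sorted (finding, relative_path) pairs for DLLs that need review."""
    findings = []
    # Issue B: a listed system DLL name beside the executable wins over system32.
    for name in os.listdir(install_dir):
        if name.lower() in LISTED_DLLS and os.path.isfile(os.path.join(install_dir, name)):
            findings.append(("shadows-system-dll", name))
    # Issue A: every DLL in Plug-Ins is loaded whatever its name, so only
    # files whose hash is on the approved list (hypothetical) pass.
    plug_dir = os.path.join(install_dir, plugin_subdir)
    if os.path.isdir(plug_dir):
        for name in os.listdir(plug_dir):
            path = os.path.join(plug_dir, name)
            if name.lower().endswith(".dll") and os.path.isfile(path):
                if sha256_file(path) not in approved_hashes:
                    findings.append(("unapproved-plugin-dll", plugin_subdir + "/" + name))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout (not from the advisory); returns approved hashes."""
    os.makedirs(os.path.join(root, "Plug-Ins"))
    files = {
        "audacity.exe": b"exe", "WinTrust.DLL": b"planted",
        "Plug-Ins/reverb.dll": b"known plugin", "Plug-Ins/extra.dll": b"unknown",
        "Plug-Ins/readme.txt": b"text",
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return {hashlib.sha256(b"known plugin").hexdigest()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_install(tmp, build_sample_tree(tmp)):
            print(*finding)
```

Name matching is case-insensitive because Windows file names are, so `WinTrust.DLL` in the sample tree is reported the same as `wintrust.dll`.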
